Industrial cybersecurity is standing at a crossroads where ‘locking down the perimeter’ is no longer enough to protect increasingly interconnected factories, grids, and process environments. Traditional defenses fall short when IT networks are connected to OT systems and attackers leverage this broadened attack surface to interrupt production, degrade safety, and negate, within a matter of minutes, reliability improvements that took years to develop. More than one-third of manufacturers identify enhancing IT/OT security as a key business priority, and nearly half say they intend to validate uptime and quality using real-time analytics and AI, rather than just relying on these technologies to identify breaches.
Across OT environments, unplanned downtime can run in the hundreds of thousands per hour. Organizational security discipline helps decrease that risk by providing enhanced visibility and better response around the shop floor. Operational metrics like uptime, safety, and throughput are increasingly used to gauge cyber maturity because mature programs show up in reliability and recovery outcomes rather than log counts. Meanwhile, digital transformation and IT-OT integration are calling for identity-based and continuously monitored architectures to enable operations rather than stand in their way.
Regulatory requirements, from the EU NIS2 to sector-specific resilience expectations, are increasing the demands for demonstrating resilience as opposed to compliance. In addition, cyber insurance is asserting itself as a factor in how risk is quantified and mitigated, pushing organizations to align security with quantifiable business value.
Why basic protection no longer cuts it across industrial cybersecurity
As traditional perimeter defenses lose effectiveness in increasingly connected industrial environments, Industrial Cyber spoke with industrial cybersecurity experts to understand which operational and business pressures are forcing security leaders to move beyond basic protection toward demonstrable performance impact. The discussion also examines how prepared most organizations really are to make that shift today.
“For most organisations, particularly operators of essential services, compliance remains the dominant pressure forcing organisations to confront OT cybersecurity,” Kirsty Perrett, a lead cyber engineer and product authority for OT at Thales UK, told Industrial Cyber. “Regulatory scrutiny, expanding standards and audit expectations are now mandated rather than optional. Conversely, this has brought long-overdue visibility and investment into OT environments.”
She noted that the shift that matters is when organisations stop begrudging compliance and start using it as leverage to examine how the business truly operates. In many cases, regulation is the only moment when organisations are compelled to look end-to-end across people, processes, technology, and governance rather than applying isolated security controls at the perimeter.
Perrett added that as perimeter defences lose relevance in cyber-physical systems, risk increasingly resides within tightly coupled operational environments that cannot simply be patched, isolated, or shut down. “Securing the boundary without shaping internal system behaviour leaves the most consequential risks untouched. Every security decision introduces trade-offs. As with Newton’s Third Law, every action taken to improve security creates a reaction elsewhere in the system, often increasing complexity, fragility, or operational ambiguity if not carefully managed.”
She highlighted that the organizations making the most progress are those using compliance pressure to force collaboration across teams rather than allowing resilience to be delegated to a single function. “When prioritised by criticality and aligned to regulatory obligations, this approach creates a rare win-win outcome, satisfying compliance while building a more resilient, sustainable, and operationally credible business for the future.”

Mike Hoffman, technical leader at Dragos, told Industrial Cyber that increasing pressure to drive production efficiency, reduce downtime, and extract more value from industrial data is pushing organizations to expand connectivity well beyond what traditional perimeter defenses were designed to protect. “These business-driven initiatives are forcing security leaders to think in terms of measurable operational impact rather than pure prevention.”
Yet, he added, most organizations remain underprepared for this shift due to inconsistent implementation and operationalization of foundational OT controls, such as the SANS Five ICS Critical Controls, and limited experience in managing risk in highly connected environments.

“In highly connected industrial environments, operational risk is the dominant pressure pushing security leaders beyond perimeter defense,” Jeffrey Macre, industrial security solutions architect at Darktrace, told Industrial Cyber. “Downtime now directly impacts revenue, safety, brand trust, and regulatory exposure. OT leaders are increasingly asked not just whether environments are secure, but whether they can keep running when something goes wrong. The conversation has shifted from breach prevention to operational survivability.”
Macre also underlined that most organizations understand this shift conceptually, but few are prepared to execute on it. “Asset inventories and segmentation provide awareness, not resilience. The real gap is translating cyber insight into operational decisions by understanding normal industrial behavior and identifying early deviations before disruption occurs.”

Dr. Terence Liu, CEO of TXOne Networks, told Industrial Cyber that in IT, “we clearly see CISOs shifting their focus from pure protection to broader cybersecurity governance. In OT, however, maturity is still far behind. Most organizations do not yet have adequate protection in place.”
“With IT–OT convergence, and more external people and devices entering plants, traditional perimeter defenses are no longer effective,” Liu mentioned. “Real OT protection must be deployed inside the plant floor, as close to machines as possible — and it must work with zero impact on production. Lacking OT talent and standard operating procedures, many organizations get stuck. As a result, they turn to visibility tools to build asset inventories and manage vulnerabilities. That helps at the NIST CSF ‘Identify’ stage. But without moving to Protect and Detect & Respond, visibility alone has very limited impact on reducing operational risk.”
Protecting production through cybersecurity discipline
The executives delve into how leading industrial organizations are redefining cyber risk through operational metrics, such as uptime, safety, throughput, and product quality, thereby moving it out of the compliance silo and into day-to-day operations. They also cite concrete cases where disciplined cybersecurity investments have measurably improved asset availability, stabilized production processes, and shortened recovery times following disruption.
Perrett said that organisations are beginning to reframe cyber risk in operational rather than purely technical terms. Instead of focusing primarily on the likelihood of attack or vulnerability exposure, they are asking how cyber events could affect availability, safety margins, process stability, and recovery timelines.
“In practice, this reframing requires closer alignment between cybersecurity, engineering, operations, and safety,” Perrett assessed. “In cyber-physical environments, risk is embedded in system behaviour, not only confined to networks or endpoints. Understanding how systems normally operate, interact, and how they degrade and recover becomes more important than identifying individual technical weaknesses alone. This shift is reflected in clearer access and change discipline, better-defined recovery pathways, and explicit decision authority during disruption.”
She added that while these activities are often labeled as cybersecurity, their value lies in reducing ambiguity and supporting safe, adaptive operational behavior under stress, rather than simply preventing intrusion.
“Leading industrial organizations are reframing cyber risk by directly mapping OT threats to operational impacts such as uptime, safety, throughput, and HSSE outcomes, often using frameworks like ISA/IEC 62443,” according to Hoffman. “A persistent gap remains in resilience and recovery, as many organizations lack well-defined and exercised OT BCP/DR plans.”
Hoffman added that, through OT BCP/DR workshops and the SANS OT Disaster Recovery Quick Start Guide, he has seen organizations meaningfully improve recovery time, operational stability, and confidence in sustaining production after cyber events.
Macre mentioned that leading industrial organizations now frame cyber risk using the same language as operations: uptime, safety margins, throughput stability, and recovery time. Cyber risk is increasingly treated as a contributor to process risk, not a separate IT concern.
“I have seen organizations significantly reduce recovery time by detecting subtle anomalies days or weeks before failure occurred, well before alarms were triggered,” according to Macre. “In these cases, cybersecurity acts less like a gatekeeper and more like an early warning system for operational instability, improving predictability and resilience rather than simply preventing incidents.”
Liu said that the reality is that many organizations have not even achieved OT compliance yet — whether with external standards like IEC 62443 or with their own internal cybersecurity policies. “Translating IT policies into OT often takes years, and real deployment takes even longer. But OT has a very clear priority: availability first. Security in OT is expected to improve uptime, process stability, and recovery time — and at the same time, the security solution itself must never compromise availability or stability.”
He added that this is the non-negotiable requirement for anyone serious about OT cybersecurity.
IT-OT convergence, AI increasingly reshape plant security
From their perspective, the executives highlight which architectural and technological shifts are enabling cybersecurity to support, rather than impede, plant operations. These include identity-centric access, real-time visibility, IT-OT convergence, and the growing use of analytics and AI. They also examine whether this evolution is being driven primarily by escalating adversary activity in OT environments, or by executive pressure to show clear business value from security investments.
“The most enabling shift is away from single tool-centric security toward platforms, architecture, context, and system understanding,” according to Perrett. “Rather than wrapping controls around operational environments, organisations are increasingly embedding resilience considerations into process design, governance and operational workflows.”
She added that while compliance pressure and cyber incidents are driving large-scale modernisation and legacy replacement programmes, resilience is more often strengthened through disciplined integration and architectural alignment than wholesale rip-and-replace. “Adding sensors, analytics, or AI can absolutely provide value, but only once process intent, safety boundaries, and operational ownership are clearly understood and exercised. Ultimately, the move toward performance-oriented OT security is being driven as much by leadership seeking resilient, efficient operations as by the changing threat landscape.”
Hoffman identified that several architectural shifts are enabling cybersecurity to actively support plant operations rather than impede them, most notably the adoption of cloud-enabled OT architectures, identity-centric secure remote access, and real-time network visibility. OT-focused secure remote access with MFA, session recording, and logging enables efficient remote support without sacrificing safety, while network security monitoring (NSM) increasingly supports operational troubleshooting alongside threat detection.
He added that this evolution is being driven by a combination of rising adversary activity targeting OT environments and executive pressure to demonstrate tangible business and operational value from security investments.
“The most impactful shift is moving away from static, rules-based security toward adaptive, behavior-driven analytics,” Macre said. “Asset visibility is necessary, but visibility alone does not reduce risk. What enables operations is understanding what normal looks like across OT processes, users, and devices, and detecting deviations that actually matter.”
He added that when AI-based anomaly detection establishes this baseline, organizations gain a clearer view of where risk truly exists. “Vulnerabilities can then be prioritized based on realistic exploitability within the environment, rather than generic severity scores. In many cases, this shows that disruptive patching introduces more operational risk than the vulnerability itself. This shift is driven by both increasingly capable adversaries and executive pressure to protect uptime, not just compliance metrics.”
Liu said that any security control that hinders operations will never be accepted by plant directors and will never scale. “So, whether it is visibility, segmentation, or anti-malware, the first principle must be minimal impact on operations and productivity. That said, security could not just avoid harm — it could actively support operations. A clear example is using AI to learn local operational behavior and detect anomalies. If a security device sees a critical PLC command coming from an unusual source, it could indicate an attack or a human error.”
He added that using AI to build local, operationally aware allowlists is exactly how security can become part of operations, not an obstacle to it.
OT cyber maturity shows up in reliability metrics
The executives assess what evidence shows that more mature OT cybersecurity programs can directly improve operational reliability and reduce unplanned downtime. They also examine where organizations most often underestimate or overlook this connection.
Perrett sees growing evidence that mature OT cybersecurity programmes improve not only reliability but also operational confidence and efficiency. “Organisations with strong visibility, disciplined access control, and exercised response and recovery plans develop a deeper understanding of how their systems actually function. This enables earlier detection of abnormal behaviour, reduces human error, and supports predictable maintenance and recovery activities such as managed backups and configurations.”
She noted that when security is designed into and around the system rather than applied solely at the perimeter, it can support safer automation, improved productivity, and more confident and efficient day-to-day operations.
“Improved reliability, while positive, should not be mistaken for cyber resilience,” according to Perrett. “Reliability is only one attribute within a broader set of interdependent characteristics that shape how cyber-physical systems behave under stress. Resilience emerges when engineering, operations, safety, and cybersecurity collectively shape system behaviour by understanding complex interactions rather than relying on security alone.”
“More mature OT cybersecurity programs consistently demonstrate improvements in operational reliability through the use of capabilities like network security monitoring (NSM), which provides continuous visibility into system health as well as security events,” Hoffman said. “Organizations that effectively align tools with the needs of automation engineers, not just security teams, can use this visibility to quickly troubleshoot DCS and SCADA connectivity issues, identify misconfigurations, and reduce unplanned downtime. Many organizations underestimate this connection by treating cybersecurity tools as purely defensive rather than as shared operational assets that can directly support reliability and uptime.”
Macre observed that more mature OT cybersecurity programs consistently improve operational reliability by reducing unplanned downtime and shortening mean time to recovery.
“Early detection of abnormal controller behavior, misconfigurations, or lateral movement often prevents small issues from escalating into outages,” he added. “Organizations underestimate this connection because cybersecurity is still viewed as reactive. When security platforms are tuned to OT behavior, they often surface early indicators of instability that traditional process monitoring misses, effectively becoming part of reliability engineering.”
Liu identified that the real issue is that machine-level protection has simply been too hard to implement. “That is why we plan to use GenAI to capture and share deployment know-how — to lower the barrier and make OT security practical at scale.”
Do cybersecurity regulations truly build cyber resilience?
The executives address whether current industrial cybersecurity regulations genuinely promote resilience and operational performance, or whether they still reinforce checkbox-driven compliance. They also assess how effectively today’s frameworks account for safety, availability, and production impact, compared with traditional IT risk models.
Regulation has played an important role in raising the baseline of OT cybersecurity, particularly in sectors where cyber risk was historically under-addressed, Perrett said, adding that for many organisations, compliance remains the initial trigger for investment.
“Regulation alone does not deliver cyber resilience,” according to Perrett. “More mature operators use regulatory pressure as an opportunity to step back from short-term audit fixes and consider the long-term continuity, safety, and sustainability of their operations. When interpreted through an operational and safety lens, regulatory requirements can drive earlier and more informed decisions that strengthen resilience rather than simply satisfy audits.”
Hoffman said that current industrial cybersecurity regulations play a mixed role. “They do help raise baseline security maturity and awareness across regulated sectors, but many still risk reinforcing checkbox-driven compliance rather than true operational resilience. Most frameworks fall short in fully accounting for safety, availability, and production impact, often borrowing assumptions from IT risk models.”
However, he highlighted that approaches such as the U.K.’s CAF 4.0 stand out by emphasizing evolving threat capabilities, continuous improvement, and outcomes more closely tied to real-world OT operations.
“Most industrial cybersecurity regulations still emphasize checkbox-driven compliance. While they improve baseline hygiene, they often fail to measure what matters most in OT environments: safe and continuous operation,” Macre said. “Frameworks rarely account for how controls affect availability, recovery, or production risk. Compared to traditional IT risk models, many regulations lag in recognizing that resilience, not prevention alone, is the true objective of industrial cybersecurity.”
Liu said that compared with IT, OT cybersecurity faces not only a maturity gap, but also far greater practical constraints. “For most manufacturers, there are still limited mandatory regulations. Many reference IEC 62443, but implementing its security levels in real plants is extremely challenging. Since most organizations are just getting started, a common approach is to form a small task force to translate IT security policies into practical OT rules.”
He added that the priority should be the basics: segmentation, virtual patching, secure remote access, supply chain inspection, and endpoint protection. If internal policies can consistently cover these fundamentals, organizations can already reduce a large portion of OT risk.
Growing grip of insurers on industrial cyber risk
The executives focus on how the expanding role of cyber insurance is shaping security architecture, risk assessment, and incident response planning in OT environments. They also consider whether insurers are reinforcing sound industrial security practices or introducing new constraints that asset owners must learn to navigate.
Perrett observed that cyber insurance is increasingly influencing OT cybersecurity strategies by driving greater scrutiny of access control, visibility and recovery preparedness. In some cases, this has prompted more substantive conversations about exposure and response capability, which can support resilience.
“In practice, insurance can also reinforce narrow interpretations of security if requirements focus purely on control presence rather than system behaviour,” she added. “Insurance can highlight risk, but it cannot substitute for shared organisational ownership of resilience. Protecting cyber-physical processes depends on people, discipline, and cross-domain collaboration, and that responsibility cannot be transferred or insured away.”
Citing insights from the recent Dragos 2025 OT Security Financial Risk Report, Hoffman noted that cyber insurers are increasingly influencing OT security by favoring defensible architectures, improved visibility, and well-rehearsed incident response, as these controls can be directly tied to reduced financial risk. “Overall, insurers are reinforcing good industrial security practices by introducing data-driven risk benchmarks and economic incentives, though asset owners must also navigate tighter underwriting requirements and coverage constraints tied to demonstrated maturity.”
“Cyber insurance is increasingly shaping OT security architecture and incident response planning. Insurers are encouraging better visibility, documented controls, and faster response capabilities, which can reinforce stronger fundamentals,” according to Macre. “However, risk emerges when insurance expectations are driven by IT assumptions rather than industrial reality. Asset owners must balance insurer requirements carefully to avoid controls that unintentionally compromise safety or availability.”
Liu recognized that for some customers, cyber insurance requirements are the trigger that pushes them to improve OT cybersecurity. “From our perspective, that is a positive development — anything that accelerates better protection for industrial environments is welcome,” he concluded.




